Configuring single sign-on for IBM Content Navigator by using Tivoli Access Manager for e-business on WebSphere Application Server (FileNet P8)

Product documentation

Abstract

This document contains the step-by-step instructions for configuring single sign-on (SSO) for IBM Content Navigator with a FileNet P8 repository by using Tivoli Access Manager for e-business Sign-On and WebSEAL on WebSphere Application Server.

Content

To configure single sign-on integration between IBM Access Manager for e-business and IBM Content Navigator, you must:

Before you begin

Ensure that you have the appropriate prerequisite software installed and configured in your environment.

If you plan to use Tivoli Access Manager for e-business for SSO, you must be aware of the following restrictions:

You can use IBM Content Navigator to connect only to IBM FileNet P8 repositories. If you configure the IBM Content Navigator web application to connect to IBM Content Manager or IBM Content Manager OnDemand repositories, you cannot use single sign-on.

IBM Content Navigator for Microsoft Office is not supported if you deploy IBM Content Navigator with Tivoli Access Manager for e-business for SSO. If you use IBM Content Navigator for Microsoft Office, you must deploy IBM Content Navigator in a non-SSO environment or in an SSO environment that supports IBM Content Navigator for Microsoft Office.

Configure your IBM Content Navigator server with Tivoli Access Manager for e-business by following the steps provided for Application Engine in chapter 4, "Single sign-on using Tivoli Access Manager for e-business" of the Single Sign-On Solutions for IBM FileNet P8 (PDF) IBM Redbooks publication.

Important: When you refer to the Application Engine documentation:

Replace all references to Application Engine with IBM Content Navigator.

Skip the step to create the junction in section 4.2.2.

Complete all of the steps up to section 4.2.6. Do not deploy IBM Content Navigator before you complete the remaining tasks.

HA systems: For the Trust Association Interceptor (TAI) to establish trust for a request, SvrSslCfg must be run for the Java Virtual Machine on the application server. Running SvrSslCfg creates the PDPerm.properties file on each application server.

Create two junctions, one for IBM Content Navigator and one for the integrated help system using the server task pdadmin command on the Tivoli Access Manager WebSEAL server. Follow the steps in section 4.2.2 "Create the junction" in the Single Sign-On Solutions for IBM FileNet P8 (PDF) IBM Redbooks publication. For more information about the syntax and the options that you use to create a junction, see the server task create entry in the WebSEAL command line reference.

Important: When you create the junctions, keep the following information in mind:

IBM Content Navigator and the integrated help system support only transparent junctions.

Run all of the configuration and deployment tasks that apply to your system. For more information, see Configuring and deploying IBM Content Navigator.

IBM Content Navigator, Version 2.0.2 and 2.0.3 users: When you run the Configure the IBM Content Navigator Web Application task, ensure that you select Application server authentication for the IBM Content Navigator authentication option.

Optional. WebSEAL has an option to prevent cross-site scripting, which is a common security problem for web servers. To enable this option, add the HTTPOnly attribute to the Session and Failover Set-Cookie headers and change the value of use-http-only-cookies in the server stanza of the WebSEAL configuration file to yes. The WebSEAL default value is use-http-only-cookies=no.
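The following check is an added example, not part of the IBM documentation or any IBM tool. It reads a WebSEAL-style configuration text to confirm the effective use-http-only-cookies value in the server stanza, and lists cookies in captured Set-Cookie headers that lack the HTTPOnly attribute. The function names, the stanza name other-stanza, the cookie names, and the sample inputs are constructed for illustration.

```python
import re

def stanza_value(conf_text, stanza, key, default=None):
    """Return the last value of `key` set inside `[stanza]`, or `default` if unset."""
    current, value = None, default
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and commented-out entries
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()          # entering a new stanza
        elif current == stanza and "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                value = v.strip()
    return value

def http_only_enabled(conf_text):
    # The page states the WebSEAL default is use-http-only-cookies=no.
    return stanza_value(conf_text, "server", "use-http-only-cookies", "no").lower() == "yes"

def cookies_missing_httponly(header_lines):
    """Names of cookies in Set-Cookie header lines that lack the HttpOnly attribute."""
    missing = []
    for line in header_lines:
        name, _, rest = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(parts[0].split("=", 1)[0])
    return missing

# Constructed sample inputs (not taken from a real WebSEAL deployment).
WEAK_CONF = ("[server]\n# use-http-only-cookies = yes\nuse-http-only-cookies = no\n"
             "[other-stanza]\nuse-http-only-cookies = yes\n")
HARDENED_CONF = WEAK_CONF.replace("use-http-only-cookies = no", "use-http-only-cookies = yes")
SAMPLE_HEADERS = ["Content-Type: text/html",
                  "Set-Cookie: EXAMPLE-SESSION=abc123; Path=/; Secure",
                  "Set-Cookie: EXAMPLE-FAILOVER=def456; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print("weak:", http_only_enabled(WEAK_CONF), "hardened:", http_only_enabled(HARDENED_CONF))
    print("cookies without HttpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))
```

Checking the response headers as well as the configuration file catches a server that was edited but not restarted, or a setting placed in the wrong stanza.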